What This Document Covers

This document describes common configuration steps to perform after your installation of FIM 2010 is complete. The steps presented here are one-time configuration steps and procedures to be performed after a successful installation. This document assumes that you have successfully installed the product and followed the procedures in the Installation Guide.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following:

Active Directory® Domain Services (AD DS)

FIM 2010

Microsoft® SQL Server® 2008

Windows® SharePoint® Services 3.0

Microsoft Exchange Server® 2007 or Exchange Server 2010

This document assumes that you also have a basic understanding of FIM 2010 and its main concepts. While not required, it is highly recommended that you familiarize yourself with the concept of inbound synchronization rules and how they work, as described in Understanding Data Synchronization with External Systems. This guide refers to settings that you used during your installation of FIM 2010. We recommend that you have those settings available before you begin the procedures.

Audience

This document is intended for IT planners, systems architects, technology decision-makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010.

Create a Backup Administrator account for the FIMService after installation

Members of the FIMService Administrators set have unique permissions critical to the operation of your FIM deployment. If you are unable to log on as a member of the Administrators set, the only resolution is to roll back to a previous backup of the system. To mitigate this risk, we recommend that you add other users to the Administrators set as part of your post-installation configuration.

Warning

Deleting or modifying certain resources

Deleting or modifying certain default resources within the FIM Portal can disrupt operations or even render the portal inoperable. The following is a list of resources that should never be deleted from the FIM portal:

Default Administrator in the Administrators Set

Administrators Set

Default RCDC objects

Default MPRs

To resolve this issue, you will need to restore the FIM database from backup or contact Microsoft Product Support.

Additionally, changing certain attributes of the default RCDC resources results in the RCDC object being replaced. The FIM Portal references the default RCDC resources by their GUID; when an object is replaced, its original GUID is no longer available and the FIM Portal is unable to reference it. The following is a list of these attributes:

DisplayName

AppliesToCreate

AppliesToEdit

AppliesToView

When these attributes are modified, a new GUID is created for the RCDC object. At this point, the FIM Portal is unaware of the RCDC object because it is unaware of the new GUID.

SQL Server Database Configuration

Configuration of SQL Server is critical for optimal system performance. Achieving optimal FIM performance in large-scale deployment scenarios depends on applying best practices for SQL Server. The guidance in this section applies to both the FIM Service Database and the FIM Synchronization Database. We recommend that you apply the following SQL Server best practices:

Presize data and log files

Do not rely on AUTOGROW. Instead, manage the growth of these files manually. You may leave AUTOGROW ON for safety reasons, but you should manage the growth of the data files proactively. You can find sample sizes for the FIM database in the FIM Capacity Planning Guide.

To presize data and log files

Start SQL Server Enterprise Manager.

Right-click the database FIMService, and then click Properties.

On the Files page, expand the database files to the required size.

Isolate log files from data files

Follow SQL Server best practices and place the transaction log files and the data files of each database on separate physical disks.

Create additional tempdb files

For optimal performance, we recommend that you create one data file per CPU core in tempdb. As with the log and data files, presize your tempdb files adequately and leave AUTOGROW ON only as a safety measure.

To create additional tempdb files

Start SQL Server Enterprise Manager.

Navigate to the database tempdb in System Databases, right-click tempdb, and then click Properties.

On the Files page, create one data file per CPU core. Make sure that you separate the tempdb Data and Log files on different drives and spindles.

Ensure adequate space for log files

Make sure that you know the disk requirements of your recovery model. Simple recovery mode may be appropriate during the initial system load to limit disk use, but it exposes you to losing any data changed since the most recent backup. With full recovery mode, you must manage disk use through backups, including frequent transaction log backups to keep the log from consuming disk space. For more information about managing recovery, see Recovery Model Overview (http://go.microsoft.com/fwlink/?LinkID=185370).

Limit SQL Server memory use

Depending on how much memory the computer running SQL Server has, and whether that computer also hosts other services such as FIMService and FIMSynchronizationService, you might want to restrict the memory that SQL Server consumes. You can use the following procedure to limit SQL Server memory use.
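The following Transact-SQL script is an added example and is not part of the original guide. It performs the presizing, tempdb and memory recommendations above from a query window in SQL Server Management Studio instead of the Properties dialogs. The database name FIMService is taken from this guide; the file paths, sizes, growth increments and the memory cap are placeholders that you replace with values from the FIM Capacity Planning Guide and your hardware.

```sql
-- Added example, not from the original guide. Run in a query window in SQL Server
-- Management Studio as a sysadmin. Paths, sizes, growth steps and the memory cap are
-- placeholders: take the sizes from the FIM Capacity Planning Guide.
USE master;
GO

-- 1. Presize the FIMService data and log files instead of relying on AUTOGROW.
--    Logical file names are read from the catalog. SIZE must not be smaller than the
--    file's current size, so check sys.master_files first. FILEGROWTH stays on as a
--    fixed-step safety net, not as the growth strategy.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER DATABASE [FIMService] MODIFY FILE (NAME = ' + QUOTENAME(mf.name)
             + CASE mf.type_desc
                   WHEN 'ROWS' THEN N', SIZE = 20480MB, FILEGROWTH = 1024MB'   -- placeholder data file size
                   ELSE          N', SIZE = 8192MB, FILEGROWTH = 512MB'        -- placeholder log file size
               END
             + N');' + CHAR(13) + CHAR(10)
FROM sys.master_files AS mf
WHERE mf.database_id = DB_ID(N'FIMService');
EXEC sys.sp_executesql @sql;
GO

-- 2. One tempdb data file per CPU core, each presized, on a drive separate from the
--    tempdb log. Only the files that are still missing are added, so the script can be re-run.
DECLARE @cores    int = (SELECT cpu_count FROM sys.dm_os_sys_info);
DECLARE @existing int = (SELECT COUNT(*) FROM tempdb.sys.database_files WHERE type_desc = 'ROWS');
DECLARE @i int = @existing + 1, @sql nvarchar(max);
WHILE @i <= @cores
BEGIN
    SET @sql = N'ALTER DATABASE [tempdb] ADD FILE (NAME = N''tempdev' + CAST(@i AS nvarchar(10))
             + N''', FILENAME = N''T:\TempDB\tempdev' + CAST(@i AS nvarchar(10)) + N'.ndf'''  -- placeholder path
             + N', SIZE = 1024MB, FILEGROWTH = 256MB);';                                     -- placeholder sizes
    EXEC sys.sp_executesql @sql;
    SET @i += 1;
END;
GO

-- 3. Cap SQL Server memory when FIMService and FIMSynchronizationService share the host,
--    leaving headroom for the operating system and the FIM services.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'max server memory (MB)', 8192;   -- placeholder cap in MB
RECONFIGURE;
GO

-- 4. Verify file sizes, growth settings and the memory cap.
SELECT DB_NAME(database_id) AS [database], name, type_desc,
       size * 8 / 1024 AS size_mb,
       CASE WHEN is_percent_growth = 1 THEN growth ELSE growth * 8 / 1024 END AS growth_mb_or_pct,
       is_percent_growth
FROM sys.master_files
WHERE database_id IN (DB_ID(N'FIMService'), DB_ID(N'tempdb'))
ORDER BY [database], type_desc, name;
SELECT name, value_in_use FROM sys.configurations WHERE name = N'max server memory (MB)';
```

The script reads logical file names and the core count from the catalog rather than hard-coding them, so the same script serves the FIM Synchronization database once you substitute its database name. Because a lower SIZE in MODIFY FILE is rejected, run the verification query first on an existing database and raise the placeholder sizes accordingly.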

Configure synchronization rule provisioning

This section explains how to configure the FIM Synchronization Service to support declarative provisioning and the use of synchronization rules in FIM. First, you have to turn on synchronization rule processing in the Synchronization Service Manager.

Note

To perform this procedure, you must be a member of the FIMSyncAdmins role for the FIM Synchronization Service.

To turn on synchronization rule provisioning

Open the Synchronization Service Manager.

On the Tools menu, click Options.

Select Enable Synchronization Rule Provisioning.

To close the Options dialog box, click OK.

Active Directory–to–FIM 2010 Initial Data Load

One basic requirement of an identity management system is the ability to import and process identity data from an external system. One of the first steps in your deployment is to import and process existing users, and possibly groups, from Active Directory or AD DS into FIM 2010. Before you do this, you should have completed the System Data Flow design to establish the relationships between the connected systems and the required data flows. This is a one-time operation, not a continuous synchronization.

For details about setting up the synchronization of user data from Active Directory to FIM, see How Do I Synchronize Users from Active Directory Domain Services to FIM. Before you perform the procedures in this guide, complete the following steps to optimize your system for the initial, one-time configuration. The settings described here are temporary. You should set them only for the initial load of the data into the system.

Step 1: Configure SQL Server for the initial data load

When you load a large amount of data, you can shorten the time it takes to populate the database by temporarily turning off full-text search. You can enable it again after the export on the FIM Management Agent is complete. Complete the following steps to temporarily turn off full-text search:

It is important to understand the disk requirements in the SQL Server recovery model. Depending on your backup schedule, you may consider using simple recovery mode during initial system load to limit disk space usage. However, you should be aware of the implications regarding potential data loss. When you use full recovery mode, you must manage disk use through backups, including frequent backups of the transaction log to prevent high disk space use.

Important

Not implementing these procedures can result in high disk space use, possibly resulting in running out of disk space. For more information, see Recovery Model Overview (http://go.microsoft.com/fwlink/?LinkID=185370). The FIM 2010 Backup and Restore Guide contains additional information.

During the initial load, apply only the minimum FIM configuration required in terms of MPRs and set definitions. After the data is loaded, create the additional sets required for your deployment. Use the run-on policy update setting on action workflows to apply those policies retroactively to the loaded data.

Step 3: Configure and populate the FIM Service with external identity data

Step 4: Apply your full FIM configuration

When your initial data load is complete, you are ready to apply the full FIM configuration for your deployment. Depending on your scenarios, this may include the creation of additional sets, MPRs, and workflows. For any policies that you need to apply retroactively to all existing objects in the system, use the run-on policy update setting on action workflows to apply those policies retroactively on the loaded data.

Step 5: Reconfigure SQL Server to previous settings

Remember to change the SQL Server settings to the normal settings, including the following:

If you switched to simple recovery mode, ensure that you reconfigure your backup schedule in accordance with your organization’s backup policy. Additional details of FIM backup schedules are available in the FIM 2010 Backup and Restore Guide.
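Steps 1 and 5 as one Transact-SQL script, added here as an example that is not part of the original guide. Part A runs before the initial data load; Part B runs after the export on the FIM Management Agent has completed. The script reads "turning off full text search" as suspending change tracking on the full-text indexes of the FIMService database, which it discovers from the catalog rather than by hard-coded table names; the backup paths are placeholders.

```sql
-- Added example, not from the original guide. Run Part A before the initial data load,
-- perform the load, then run Part B. Backup paths are placeholders. Run as a sysadmin in
-- SQL Server Management Studio.
USE [FIMService];
GO

------------------------------------------------------------------------------
-- Part A: before the load
------------------------------------------------------------------------------
-- A1. Take a full backup, then switch to simple recovery so the transaction log is
--     truncated at checkpoints instead of growing for the whole import. Until full
--     recovery is restored in Part B, changes made after this backup cannot be recovered.
BACKUP DATABASE [FIMService] TO DISK = N'B:\Backups\FIMService_preload.bak' WITH INIT;  -- placeholder path
ALTER DATABASE [FIMService] SET RECOVERY SIMPLE;

-- A2. Suspend change tracking on every full-text index in the database so imported rows
--     are not indexed one at a time as they land. Indexes are discovered from the catalog.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER FULLTEXT INDEX ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
             + N' SET CHANGE_TRACKING OFF;' + CHAR(13) + CHAR(10)
FROM sys.fulltext_indexes AS fi
JOIN sys.objects AS o ON o.object_id = fi.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id;
EXEC sys.sp_executesql @sql;
GO

------------------------------------------------------------------------------
-- Part B: after the load
------------------------------------------------------------------------------
-- B1. Turn change tracking back on. Moving an index from OFF to AUTO starts a full
--     population, which indexes the loaded rows; portal searches are complete once it ends.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'ALTER FULLTEXT INDEX ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
             + N' SET CHANGE_TRACKING AUTO;' + CHAR(13) + CHAR(10)
FROM sys.fulltext_indexes AS fi
JOIN sys.objects AS o ON o.object_id = fi.object_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id;
EXEC sys.sp_executesql @sql;
GO

-- B2. Return to full recovery. The log backup chain only begins at the next full backup,
--     so take one immediately and resume scheduled transaction log backups per your policy.
ALTER DATABASE [FIMService] SET RECOVERY FULL;
BACKUP DATABASE [FIMService] TO DISK = N'B:\Backups\FIMService_postload.bak' WITH INIT;  -- placeholder path
BACKUP LOG      [FIMService] TO DISK = N'B:\Backups\FIMService_postload.trn';            -- placeholder path
GO

-- B3. Verify: recovery model back to FULL, every full-text index tracking changes again.
SELECT name, recovery_model_desc FROM sys.databases WHERE name = N'FIMService';
SELECT OBJECT_SCHEMA_NAME(object_id) + N'.' + OBJECT_NAME(object_id) AS [table],
       change_tracking_state_desc
FROM sys.fulltext_indexes;
```

Keep the two parts in separate query windows so Part B is not run by accident before the load finishes. The final SELECT in Part B is the check that nothing was left in the temporary state: any index still reporting OFF, or a recovery model other than FULL, means Step 5 is incomplete.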

Configuring General MPRs

If you plan to allow nonadministrator users to have access to the portal and the ability to view other users’ basic information, enable this configuration in the FIM Service. You do this by configuring existing MPRs in the system.

Configure the MPRs in the following table.

Display name

General: Users can read non-administrative configuration resources

User management: Users can read attributes of their own

To enable required MPRs

To open the FIM Portal, start Internet Explorer, and then navigate to http://localhost/identitymanagement/default.aspx.

Note

You may need to substitute this with the URL you have configured for your FIM portal.

On the FIM Portal home page, click Management Policy Rules in the navigation bar to open the Management Policy Rules page.

In the Search for text box, type the display name of each of the MPRs from the previous table, and then click the Search for button.

For each MPR that is listed as disabled, do the following:

To open the configuration dialog box, click the Display Name of the disabled MPR.

Clear the Policy is disabled check box, and then click OK.

On the Summary page, click Submit.

You may plan to allow users to view the basic attributes of other users, for example, to search for and view information about users before adding them to distribution groups. If so, you should also configure the MPR in the following table using the previous procedure.

Display name

User management: Users can read selected attributes of other users

Note

You may need to customize the list of attributes in this MPR based on your organizational policy and needs.

You may need to set further MPR configuration based on your scenarios. See the Documentation Roadmap for additional details in the suggested topics.

Enable WCF Performance Counters

FIM 2010 uses WCF performance counters to monitor service use. Monitoring service use with WCF performance counters is an optional step to enable when you are diagnosing performance problems. It is not necessary to leave performance counters enabled for normal operations. To enable and configure WCF performance counters, see WCF Performance Counters (http://go.microsoft.com/fwlink/?LinkId=164848).

We recommend that you configure ServiceOnly WCF performance counters. However, to see Endpoint and Operation instances, it is necessary to configure all WCF performance counters.

Summary

The procedures in this guide are common configuration steps to complete after the installation of FIM 2010. You will have to perform additional configuration, depending on the types of scenarios that you plan to implement in your deployment. For example, if you plan to deploy password reset capabilities, you should continue your configuration based on the recommendations in the Password Reset Deployment Guide. See the Documentation Roadmap for additional details in suggested topics.